How Configuration Assessments Help Improve Cyber Defenses

There's an old adage in business; if you're not measuring something, you can't manage it. These days, information technology (IT) and information security professionals know this all too well, especially when it comes to configuration assessments.

Network performance requires constant monitoring. Cyber threats demand identification and remediation. Systems need to be securely configured upon implementation and then assessed frequently to ensure they stay that way. What's more, hackers constantly seek out poorly configured or vulnerable systems. As organizations around the world experienced with the Log4j vulnerability, hackers are constantly looking for ways try to exploit these weaknesses. After all, when one system is left unsecured, it often means that others are unsecure as well.

The Need for Ongoing Configuration Assessments

Identifying configuration vulnerabilities is a key element of a strong cybersecurity program. Improper configurations can put your organization at risk. While configuration assessment is essential, it can also be difficult to execute. First, systems very rarely come securely configured right out of the box. The sheer number of systems that many organizations need to harden is enormous, and the volume of settings that require configuration can be daunting. As teams try to meet deadlines or day-to-day business needs, systems can be put into production without basic hardening. Upgrades and other changes can lead to configuration drift, creating new vulnerabilities over time.

For IT teams, system configuration can be a big focus at the time of implementation. However, effective protection against cyber threats requires continuous attention. To reduce opportunities for hackers, organizations should perform configuration assessments regularly.

Establishing Secure Configurations

Assessment is an important step in system hardening. To understand how well your current environment matches up to industry best practices, compare your configurations to the recommendations in the CIS Benchmarks. The CIS Benchmarks are consensus-developed, best practice secure configuration guidelines used to harden target systems. More than 100 CIS Benchmarks have been developed, covering more than 25 vendor product families. The PDF versions are available to download at no cost.

Each CIS Benchmark describes – in simple language – the security benefit of each recommendation and the steps that should be taken for secure configuration. CIS Benchmarks map to the CIS Controls where applicable, making it possible to develop an actionable remediation plan with a high-level view.

Configuring systems to CIS Benchmarks recommendations is a proven way to assess and remediate configuration vulnerabilities.

Scaling Configuration Assessments

Knowing your desired end state for secure configuration is only part of the picture. Assessing system configuration at scale is also important. To understand how your system configurations conform to the CIS Benchmarks, you can use the CIS Configuration Assessment Tool (CIS-CAT), which scans against a target system’s configuration settings and reports its compliance to the corresponding Benchmark. With hundreds of recommendations in each CIS Benchmark, automated assessment is the key to accelerating the implementation of secure configurations at scale.

 

 

 

CIS-CAT Pro, which is available to CIS SecureSuite Members, has two components: the easy-to-use CIS-CAT Pro Assessor v4 GUI, and the CIS-CAT Dashboard. CIS-CAT Pro Assessor v4 supports more than 80 CIS Benchmarks for automated configuration assessments and remote endpoints. CIS-CAT Pro Dashboard is also a companion application for CIS-CAT Pro Assessor, and is a great way to visualize assessment results and track conformance over time.

Analyzing security configuration assessment results is critical to remediation planning efforts. That's why the CIS-CAT Pro Assessor includes configuration assessment evidence in the HTML report. The evidence provides an in-depth view of an endpoint's state and assists in remediation planning. To experience how CIS-CAT works, try CIS-CAT Lite, our free configuration assessment tool. The free version produces only HTML reports and supports a subset of CIS Benchmark assessments.

Assess at Scale with CIS SecureSuite

CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard are both included in CIS SecureSuite Membership. In addition to CIS-CAT Pro access, CIS SecureSuite Membership provides access to multiple cybersecurity resources, including build content, full-format CIS Benchmarks, and more. Start secure and stay secure with integrated cybersecurity tools and best practice guidance for over 100 technologies. Register for one of our upcoming CIS Benchmarks webinars, which includes a demo of CIS-CAT Pro.